diff --git a/flake.nix b/flake.nix
index b5dd818..9d7fd01 100644
--- a/flake.nix
+++ b/flake.nix
@@ -37,11 +37,27 @@
 deploy = pkgs.writeShellScriptBin "nhs" ''
 nh os switch --hostname extremist-software --target-host root@extremist-software path:. "$@"
 '';
+ check-secrets = pkgs.writeShellScriptBin "check-secrets" ''
+ set -euo pipefail
+ failed=0
+ for f in secrets/*.age; do
+ last=$(agenix -d "$f" | tail -c 1 | od -An -tx1 | tr -d ' \n')
+ if [ "$last" = "0a" ]; then
+ echo "FAIL: $f has trailing newline"
+ failed=1
+ fi
+ done
+ if [ "$failed" -eq 0 ]; then
+ echo "All secrets OK: no trailing newlines"
+ fi
+ exit $failed
+ '';
 in pkgs.mkShell {
 packages = [
 pkgs.nh
 inputs.agenix.packages.x86_64-linux.default
 deploy
+ check-secrets
 ];
 };
 };
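Review bot: A decryption failure on any one file (missing identity, wrong recipient, corrupt .age) aborts the whole check-secrets loop at the `last=$(agenix -d "$f" | …)` line: under `set -e` with `pipefail` the failed command substitution terminates the script before the remaining files are examined, with no message naming the file and without the "All secrets OK" summary, so a caller only sees agenix's own stderr. Wrapping the decrypt so each file is reported and the loop continues, e.g. `if ! last=$(agenix -d "$f" | tail -c 1 | od -An -tx1 | tr -d ' \n'); then echo "FAIL: cannot decrypt $f"; failed=1; continue; fi`, keeps the fail-closed exit status while making the result per-file. Relatedly, `for f in secrets/*.age` with no matching files passes the literal pattern to agenix (bash leaves an unmatched glob as-is unless `shopt -s nullglob` is set, which is safe here since writeShellScriptBin produces a bash script) — the script is also cwd-relative, like the `path:.` in the neighbouring `nhs` wrapper, which is worth a one-line comment such as `# run from the repo root; decrypts each secret in-memory and checks only its final byte`. The `let` block that this `in` closes begins above the hunk.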